Quick start steps with Conditional Access for Applications

In this topic, you will learn the steps you need to take to configure the Portnox™ Conditional Access for Applications service.

If you already completed some of the steps, proceed to the next steps.

Note: Portnox Cloud has functions to control network access, not just access to applications. If you only use Portnox Cloud for Conditional Access, in any of the configuration steps, you can skip the steps relating to network access and do only the steps related to application access.
  1. Create a Portnox Cloud tenant to access the service.

    In this step, you create an account with Portnox Cloud and your own tenant. You only need to do this once.

  2. Log in to Portnox Cloud to start working with the service.

    In this step, you access the tenant that you created earlier. You must complete this step every time you want to work with Portnox Cloud.

  3. Create and configure your individual Portnox Cloud RADIUS servers.

    In this step, you create RADIUS server or servers. These servers are used by your network devices to authenticate, authorize, and account network clients. You only need to do this once.

  4. Configure your cloud-based authentication repository in Portnox Cloud.

    For example:

  5. Configure an identity provider.

    The identity provider is a web app, often configured in your authentication repository, that checks the identity of users of web applications. You should set up an identity provider that can work with the authentication repository you set up earlier in this process.

  6. Configure applications to use Conditional Access.

    For each web application, the setup steps are different. We have a collection of guides for well-known web applications. However, if your application is not on the list, look at your application’s administrative guide. Search for topics like SAML integration.

  7. Install AgentP on user devices or ask users to install AgentP on their devices.

    • If you want users to install AgentP, send them the following link: https://docs.portnox.com/caa/. These are end-user instructions for all popular desktop/mobile operating systems: Windows, macOS, iOS, and Android. They teach the users how to install AgentP and how to access applications using Conditional Access.

    • If you want to automatically distribute AgentP to user devices, here are some guides for popular endpoint management systems:
  8. Configure groups, policies, and more.

    Once you have Conditional Access working, you can now adjust it specifically to your needs.

    1. Manage groups of application users.

      Groups allow you to set different access policies for different users. For example, you can allow only your developers to access your development applications, and only your finance department to access your finance applications. If you choose to control this access at the application-level, you can create one group for all users.

      Note: By default, your Portnox Cloud portal has one group called Default, which contains all your users that are not specifically assigned to any other groups.
    2. Configure risk assessment policies and assign them to groups.

      Risk assessment policies help you check if a user’s device is secure enough to access applications. You can give different importance to various conditions, like not having antivirus software or using an old version of the operating system. If the total score exceeds a certain limit, you can consider the device as unsafe.

      Note: By default, your Portnox Cloud portal has one risk assessment policy called System Default Policy, which is set up with recommended security measures for all operating systems, and which is assigned to the Default group.
    3. Configure access control policies for applications and assign them to groups.

      An access control policy for an application decides what to do if the risk assessment policy labels the device as unsafe. You can choose to let unsafe devices use your applications, or you can tell the user what they should do to make their device safe.

      Note: By default, your Portnox Cloud portal has one access control policy called System Default Policy, which is set up to deny access to unsafe devices, and which is assigned to the Default group.